Basic Logging Standard

Developed to support the implementation of the IT Resource Logging Policy (VII.B.5).

Issued March 1, 2010 from Purdue University Security Officer's Group and ITaP Security and Policy. Questions about this standard can be addressed to itap-securityhelp@purdue.edu.

Introduction:

Logging is an essential information security control that is used to identify, respond to, and prevent operational problems, security incidents, policy violations, and fraudulent activity; optimize system and application performance; assist in business recovery activities; and, in many cases, comply with federal, state, and local laws and regulations.

This standard applies to all logging activities developed in support of the IT Resource Logging Policy (V.1.7).

Logging Standards:

Log Detail: Centralized and departmental IT units and IT Resource owners or other designated individuals have some flexibility in determining the detail contained in logs of IT Resources within their areas of responsibility. The detail of information contained in an IT Resource log depends on the risks to the relevant IT Resource and underlying data and shall be commensurate with a particular system’s profiled data classification category (e.g., it may be appropriate to have more log detail captured on a system that processes restricted data as opposed to a system that processes only public data).

Factors used to help determine the detail of information in an IT Resource log include:

Log Review: Logs produced by University IT Resources must be examined on a regular basis in order to protect University IT Resources and data. The frequency and nature of log monitoring and review depend on the risks to the relevant IT Resource and underlying data and shall be commensurate with a particular system’s profiled data classification category.

Factors used to help determine the time period for review of logging activities include:

Log Integrity: Logging facilities and log information should be protected against tampering, modification, destruction, and unauthorized access. Where possible, system administrators should not have permission to erase, deactivate, or modify logs of their own activities.

Log Classification and Handling: University IT Resource logs may contain operational and/or confidential data, and must be classified and handled in a manner that is consistent with such data’s classification according to the University’s Data Classification system and Data Handling Requirements. The proper handling requirements for any IT Resource log must, at a minimum, match the highest classification of data which is contained in the log.

University IT Resource owners and/or other designated individuals responsible for implementing the IT Resource Logging Policy and related standards may elevate the data classification of logs within their areas of responsibility if there are special departmental circumstances that require an increased classification and handling requirement.

Log Retention: Some logs may be required to be archived as part of the University’s records retention policy or because of requirements to collect and retain evidence. University policy, departmental policy, and federal, state, or local laws may also specify minimum retention requirements for certain types of logs and log data. Where applicable, those retention requirements must be followed.

In all other instances where no retention requirement applies, University IT Resource owners and/or other designated individuals responsible for implementing the IT Resource Logging Policy and related standards may designate an appropriate retention period for logs produced by University IT Resources within their areas of responsibility.

Compliance

Centralized and departmental IT units and IT Resource owners or other designated individuals are responsible for ensuring appropriate compliance with this standard on University IT Resources within their areas of responsibility.

Additionally, centralized and departmental IT units and IT Resource owners or other designated individuals are responsible for documenting appropriate compliance with this standard on University IT Resources within their areas of responsibility. Documentation should include the type of logging taking place on IT Resources, data classification of the logs, retention periods for the relevant logs, frequency of log review, and brief justification of the detail of information contained in an IT Resource log and the reason that detail is being captured. Documented processes should be periodically reviewed to ensure continued compliance with the IT Resource Logging Policy and this standard.